Petraeus’s mail client – not Gmail – likely behind affair bust

As you surely have heard by now, David Petraeus, former commander of the Afghanistan war, resigned as Director of the CIA on Friday after the FBI inadvertently discovered that he was having an affair with his biographer, Paula Broadwell. You may have also heard that Petraeus’s philandering was uncovered thanks to “Gmail location data.” Problem is, that’s not entirely accurate.

Petraeus’s undoing, the Cliffs Notes version

In case you’re not yet up to speed with this whole Petraeus thing, here’s a quick overview of what happened: Last summer, the FBI received a report from a woman named Jill Kelley, 37, an “influential” person in Tampa, Florida, which is home to the U.S. military’s Central Command (CENTCOM), that someone was sending her “harassing” emails. The mysterious sender was telling Kelley to “back off” and “stay away” from an unnamed man. Kelley wanted the FBI to find out if a cybercrime was being committed.

Because Kelley was a friend of members of the law enforcement agency, the FBI obliged: It found that the emails were sent from an anonymous Gmail address, which they eventually confirmed belonged to Broadwell and her husband, who live in North Carolina. The FBI then gained access to Broadwell’s other email accounts, and found sexually explicit emails coming from another anonymous Gmail user, who they would later discover was Petraeus himself.

[The FBI] learned that Ms. Broadwell and Mr. Petraeus had set up private Gmail accounts to use for their communications, which included explicit details of a sexual nature, according to U.S. officials. But because Mr. Petraeus used a pseudonym, agents doing the monitoring didn’t immediately uncover that he was the one communicating with Ms. Broadwell.

By late summer, after the monitoring of Ms. Broadwell’s emails uncovered the link to Mr. Petraeus, prosecutors and agents alerted senior officials at FBI and the Justice Department, including Mr. Holder, U.S. officials say. The investigators never monitored Mr. Petraeus’s email accounts, the officials say.

Metadata = megascrewed

The reason the FBI was able to figure out the identities of Broadwell and Petraeus was, at least in part, due to so-called metadata that is embedded in every email we send. The information contained in email metadata differs depending on which service is used; however, most email metadata includes sender email address, recipient email address, date and time that the email was sent, and IP addresses associated with sending and delivery of the email.

It is this last bit of info – IP addresses – that would have told the FBI where the various damning emails were coming from.

Outlook, not Gmail

This is what led Wired, Gizmodo, and (at least at first) The Atlantic to run stories implicating “Gmail location data” as the key detail that led to Petraeus’s downfall. But here’s the thing: Gmail does not display a sender’s IP address in its email metadata when an email is sent through Gmail’s website. And it hasn’t done so for at least the past four years – meaning it didn’t do so when Broadwell and Petraeus were sending each other secret love letters. (The Atlantic later updated its article to put less of the onus on Gmail.)

To confirm this, we sent ourselves a number of emails from various email addresses, starting with an email from and to the same Gmail account. We then took a look at the email “header,” the part of the message that contains all the juicy forensics data, but which is usually automatically hidden from most email users through the email user interface.

To access the header of any Gmail email, simply click the down arrow icon that appears next to the “reply” arrow in any Gmail message. Then click “Show Original.” This will give you that email message in its raw form, with the email header taking up a big chunk of space at the top, before the actual message.

Now, as you can see in the image below, the only IP address listed in the header of our email sent from Gmail’s website is 10.112.138.165. This is not your author’s IP address; it is the IP address of a Google server. In other words, when you send an email through Gmail.com, Google acts as a proxy, effectively hiding your location.

If, on the other hand, you send an email from a Gmail address – but rather than use Gmail.com, you do so through an email client like Microsoft Outlook – then your actual IP address will be added to the email header, thus allowing the FBI (or anyone else) to easily find out the physical location from which that email originated.

The same is true for Gmail emails sent from Apple’s Mail client for OS X, as well as Mozilla’s Thunderbird email client.

Below is what the email header sent from your author’s Gmail address to the same address looks like when using Outlook instead of Gmail.com to send an email:

The blurred-out part of the text is your author’s home IP address (plus local Internet service provider info). It’s blurred out because anyone could type that IP address into a wide variety of Web tools and instantly discover, with terrifying accuracy, where your author is currently writing in his dog hair-covered sweatpants.
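The header comparison described above, as an added example that is not part of the original article: a short Python script that pulls every IP address out of a message's Received headers and reports which ones fall outside internal ranges. Both sample messages are constructed; 203.0.113.45 is a documentation address standing in for a sender's real IP, and the hostnames and ids are made up.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample headers, not real captures. 10.112.138.165 is the address
# quoted in the article; 203.0.113.45 is a documentation address standing in
# for a sender's routable home IP. Hostnames and ids are made up.
WEBMAIL = """\
Received: by 10.112.138.165 with HTTP; Mon, 12 Nov 2012 10:00:00 -0800 (PST)
From: author@example.com
To: author@example.com
Subject: sent from the website

body
"""

CLIENT = """\
Received: by 10.112.138.165 with SMTP id x1; Mon, 12 Nov 2012 10:05:00 -0800 (PST)
Received: from [192.168.1.20] (host.isp.example. [203.0.113.45])
        by mx.example.com with ESMTPS id y2; Mon, 12 Nov 2012 10:04:58 -0800 (PST)
From: author@example.com
To: author@example.com
Subject: sent from a desktop client

body
"""

# RFC 1918 and loopback ranges: visible in headers but reveal no location.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def received_ips(raw):
    """Every IPv4 address in the Received headers, newest hop first."""
    found = []
    for hop in message_from_string(raw).get_all("Received", []):
        for candidate in IPV4.findall(hop):
            try:
                found.append(ipaddress.ip_address(candidate))
            except ValueError:
                pass  # digits that look like an address but are not one
    return found

def exposed_ips(raw):
    """Addresses outside the internal ranges, i.e. ones that can be geolocated."""
    return [str(ip) for ip in received_ips(raw)
            if not any(ip in net for net in INTERNAL)]
```

Run against your own “Show Original” output to see what a given sending path discloses. Received lines added before the message reached the provider’s own servers can be forged, so treat only the provider-added hops as reliable.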

The only real question that remains for Petraeus now – at least as far as his email habits go – is whether he’s a Mac or a PC. Given his extensive government service, we’re going to go with PC, which would likely mean that Microsoft Outlook is to blame for his secret getting out.

What this means for you

Most of us are never going to hold a high-level position in the U.S. government, nor will we be investigated by the FBI. So the differences between sending a Gmail email using Gmail.com or a desktop mail client are probably not that important. If, however, you want to be particularly covert in the emails you send, then your best bet is to use the Gmail website for your email communications.